Example: 1.1.1.x and 2.2.2.x are public IPs.

Monowall is able to form a private-to-private IPSec VPN just fine, and there is plenty of documentation and examples for this. The main requirement is that you need to make the two subnets different. Using this type of VPN is no problem if you have complete control of both ends.

vpn192.168.0.10::peer1.1.1.1 <-> peer2.2.2.2::vpn192.168.1.10

Eventually this runs into the problem where you get a collision of RFC 1918 subnets and you can't change them. The solution is to map the private IPs to public IPs and form an IPSec VPN between the public IP addresses. A large company with many VPNs will have already done this, and using public IPs will be a matter of policy.

I'm trying to remove a Pix used in a production environment and put in a Monowall to handle existing connections, and I can't find any documentation or examples for this kind of VPN, and I haven't been able to stumble on the right solution.

One combination not only doesn't work, Internet access is completely blocked. Perhaps the Monowall scripts should warn about or block this improper use of addresses.

vpn192.168.0.10::peer1.1.1.1 <-> peer2.2.2.2::vpn2.2.2.3

The other combination, which looks like the way that the Pix does it, does not block the Internet, but the VPN still doesn't work.

1::1-mapping: 192.168.0.10::1.1.1.2
vpn1.1.1.2::peer1.1.1.1 <-> peer2.2.2.2::vpn2.2.2.3

Presumably the other end has a similar 1::1-mapping.

One fault of this technique is that 192.168.0.10 is exposed to the Internet because the 1::1-mapping is not secure. It's not even clear that a 1::1-mapping is the right way to expose the private IP, or whether or not exposing the IP is necessary at all. It also seems that once a 1::1-mapping is set up, a VPN is no longer necessary. The target can be hit directly across the Internet. The Pix seems to use firewall rules to get this VPN to pass through the firewall. If such rules are required, there is no documentation in Monowall, pfSense, or racoon that shows what the needed rules are.

To enable Monowall usage with larger companies, someone needs to make one of these IPSec VPNs with a public IP address without insecurely exposing their private IP to the Internet, then document how it is done or report the missing functionality to the racoon devs.
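The post above suggests that the Monowall scripts could warn about an improper combination of addresses. The following is an added example, not code from m0n0wall, pfSense, racoon or the poster: a small checker that models the four addressing combinations the post describes (distinct private subnets, colliding RFC 1918 subnets, a private inner address facing a public one, and a 1:1 mapping with or without a rule restricting the mapped address to the peer). The End class, the warning codes and the peer_only flag are assumptions made for this example; the sample addresses are the ones in the post.

```python
"""Addressing sanity checks for an IPsec tunnel (added example, not m0n0wall code).

Each End describes one side: the public peer address IKE/ESP is sent to, the
inner host or subnet carried through the tunnel, an optional 1:1 NAT mapping
of that inner host to a public address, and whether a firewall rule limits
the mapped address to traffic from the far peer.  All of these names are
assumptions made for this example.
"""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(net):
    """True if the whole network lies inside one of the RFC 1918 blocks."""
    net = ipaddress.ip_network(net, strict=False)
    return any(net.subnet_of(block) for block in RFC1918)


@dataclass
class End:
    peer: str                                      # public address IKE/ESP is sent to
    inner: str                                     # host or subnet inside the tunnel
    nat_1to1: dict = field(default_factory=dict)   # private host -> public host (1:1 mapping)
    peer_only: bool = False                        # rule admits the mapped address only from the peer

    def effective_inner(self):
        """Inner network as the far side sees it, i.e. after the 1:1 mapping if one applies."""
        net = ipaddress.ip_network(self.inner, strict=False)
        key = str(net.network_address)
        if net.num_addresses == 1 and key in self.nat_1to1:
            return ipaddress.ip_network(self.nat_1to1[key])
        return net


def check_tunnel(a, b):
    """Return a list of (code, message) warnings for the tunnel a <-> b; [] means OK."""
    warnings = []
    ia, ib = a.effective_inner(), b.effective_inner()

    # Private-to-private works only when the two subnets differ.
    if ia.overlaps(ib):
        warnings.append(("overlap",
                         f"inner networks {ia} and {ib} collide; change one subnet or map it to other addresses"))

    # A private inner address on one side and a public one on the other: the post's
    # large-company case wants both sides public (via 1:1 mapping), not a mix.
    if is_rfc1918(ia) != is_rfc1918(ib):
        priv, pub = (ia, ib) if is_rfc1918(ia) else (ib, ia)
        warnings.append(("mixed",
                         f"{priv} is RFC 1918 but {pub} is public; map the private side to a public address"))

    for end, other in ((a, b), (b, a)):
        # If a side's own peer address lies inside its inner network, the IKE/ESP
        # packets to that peer would themselves match the tunnel policy.
        if ipaddress.ip_address(end.peer) in end.effective_inner():
            warnings.append(("peer-in-inner",
                             f"peer {end.peer} lies inside inner network {end.effective_inner()}"))
        # A 1:1 mapping without a restricting rule exposes the private host to everyone.
        if end.nat_1to1 and not end.peer_only:
            for priv, pub in end.nat_1to1.items():
                warnings.append(("exposed",
                                 f"1:1 mapping {priv} -> {pub} makes {priv} reachable from the whole "
                                 f"Internet; add a rule admitting {pub} only from peer {other.peer}"))
    return warnings


def codes(a, b):
    """Just the warning codes, in order (convenient for tests and scripting)."""
    return [code for code, _ in check_tunnel(a, b)]


if __name__ == "__main__":
    # The post's combinations, using its addresses.
    cases = {
        "private-to-private, distinct subnets":
            (End("1.1.1.1", "192.168.0.10"), End("2.2.2.2", "192.168.1.10")),
        "RFC 1918 collision":
            (End("1.1.1.1", "192.168.0.10"), End("2.2.2.2", "192.168.0.10")),
        "private inner facing public inner":
            (End("1.1.1.1", "192.168.0.10"), End("2.2.2.2", "2.2.2.3")),
        "1:1 mapping, no restricting rule":
            (End("1.1.1.1", "192.168.0.10", {"192.168.0.10": "1.1.1.2"}), End("2.2.2.2", "2.2.2.3")),
        "1:1 mapping, mapped address limited to peer":
            (End("1.1.1.1", "192.168.0.10", {"192.168.0.10": "1.1.1.2"}, peer_only=True),
             End("2.2.2.2", "2.2.2.3")),
    }
    for name, (a, b) in cases.items():
        print(f"{name}:")
        for code, msg in check_tunnel(a, b) or [("ok", "no warnings")]:
            print(f"  [{code}] {msg}")
```

The checker only reasons about addresses and the presence of a restricting rule; it does not know the racoon SPD entries or firewall rules a given box actually installs, so a clean result means the addressing is consistent with the post's requirements, not that the tunnel will come up.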